security question, and best way to set up for myself and spouse

Tom00
Community Member

Hi,

I'm in the middle of the trial period, and love what I see so far - I feel safer with every password I update and throw in my vault :) I have two questions; one that has me sitting on the fence, and the other about the best way to set up 1Password for my wife and I:
(1)
I've read that the 'least secure' part of password managers is the auto-fill: a compromised website may have hidden fields that could get autofilled, providing the bad guys my password(s). Are there steps I can take to feel secure in my use of 1Password's auto-fill? What security features do 1Password browser extensions have?
(2)
Would you recommend my spouse and I share a primary vault, or have separate ones? Outside of 'do we trust each other' questions, are there best-practices that you'd recommend?

Thanks for your time,

Tom

Comments

  • littlebobbytables
    1Password Alumni

    Hi @Tom00

    I'll answer 2. and I'm going to ask about 1. for you.

    2. There is no right and wrong here at all, it's really down to the both of you. Sharing a single Primary vault is certainly the easiest to set up but if you prefer a single shared Secondary vault and individual primary ones that's quite easy too. There could be one small advantage (depending on your perspective) to separate Primary vaults. Say you both have individual accounts on a lot of sites e.g. Amazon, Facebook, internet banking etc. then if you have a single Primary vault you'd need to establish an agreed protocol for identifying which is which. Now tags can help but when you're looking at a list of possible Login items in 1Password mini and you each have one titled Amazon it won't be as easy to determine which is which. I have multiple Gmail accounts so I tend to add something in brackets after Gmail so I can tell which is which based on just the title. As long as that doesn't bother you then a single Primary vault is fine if that's all you want.

    So basically multiple vaults can serve two purposes, they can act as a security divide or a logical divide which is more how I use them. How you proceed is completely up to you. You could start with a single Primary and then if you decide you wish to split it we can help with that, it's all up to you :smile:

    While we wait for a response to 1. if you have any other questions do feel free to ask.

  • Tom00
    Community Member

    littlebobbytables,

    Thanks for your response. We've tested the single-primary approach by putting both of our Facebook accounts in a single vault, with our names appended to the title - works well; this is probably the approach we'll use.
    Regarding 1: 1Password at least requires user-interaction to start an auto-fill, which is good. I probably have to learn to be a smarter internet-browser; know what to be suspicious of, that kind of thing. I'd still be interested in any thoughts though!

  • littlebobbytables
    1Password Alumni

    Hi @Tom00

    I know browsers used to autofill login details for you but I think everybody has moved away from that model for security reasons. I know I was a smug Opera user many years ago when it was shown that all other browsers would leak Login credentials and Opera was the only browser that didn't thanks to this very reason.

    Now I've asked about your first question. We don't fill in hidden fields and we try to protect against filling into iframes but I'm being told that if a site is compromised enough there are many ways we simply can't protect against. So if a site has been sufficiently compromised not even a password manager will protect you.

    What will help mitigate this though is the fact that you're able to use a unique and complex password at each site so even if one site is compromised it limits the damage that can be done.

    We can help protect against the bog standard phishing attempts though. Given we only match a Login based on the actual URL if you think you're viewing your bank's website but it's actually some dodgy URL then 1Password won't suggest the Login item due to URL mismatch.

    If you have any further questions do please ask away :smile:
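
Added example, not part of the thread and not 1Password's code: a small sketch of the two checks described in the last reply, offering a Login only when the page URL matches the saved one, and skipping hidden or iframe fields. The matching rule (HTTPS only, same hostname or a subdomain of it), the field-object shape and all sample URLs are assumptions made for illustration.

```javascript
// Illustrative sketch only; not 1Password's implementation.
// Assumption: a saved Login matches when the page is HTTPS and its hostname
// equals the saved hostname or is a subdomain of it.
function hostMatches(savedUrl, pageUrl) {
  let saved, page;
  try {
    saved = new URL(savedUrl);
    page = new URL(pageUrl);
  } catch {
    return false; // unparsable URL: never suggest a Login
  }
  if (page.protocol !== "https:") return false;
  const s = saved.hostname;
  const p = page.hostname;
  // The leading dot stops "notbank.example" from matching "bank.example".
  return p === s || p.endsWith("." + s);
}

// Return the Login items that may be offered for this page.
function suggestLogins(vault, pageUrl) {
  return vault.filter((item) => hostMatches(item.url, pageUrl));
}

// Choose fields to fill: skip hidden inputs and anything inside an iframe.
// Fields are plain objects (constructed) so the sketch runs without a DOM.
function fillableFields(fields) {
  return fields.filter(
    (f) => f.type !== "hidden" && f.visible === true && f.inIframe === false
  );
}

// Constructed sample data.
const vault = [
  { title: "Bank (Tom)", url: "https://bank.example/login" },
  { title: "Amazon (Tom)", url: "https://www.amazon.com/" },
];
const pages = [
  "https://bank.example/signin",          // genuine site
  "https://bank.example.evil.test/login", // bank name used as a subdomain label
  "https://bank-example.test/login",      // lookalike domain
  "http://bank.example/login",            // plaintext HTTP
];
for (const url of pages) {
  console.log(url, "->", suggestLogins(vault, url).map((i) => i.title));
}
```

Only the first sample page yields a suggestion; the other three return an empty list, which is the "no Login offered" signal the reply describes for a mismatched URL.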

This discussion has been closed.